diff --git a/.changelog/24540.txt b/.changelog/24540.txt
new file mode 100644
index 000000000..79c5aa1cd
--- /dev/null
+++ b/.changelog/24540.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Added more host environment variables to the default deny list for tasks
+```
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
index edd9b6d31..666f22aff 100644
--- a/command/agent/host/host.go
+++ b/command/agent/host/host.go
@@ -96,12 +96,16 @@ func environment() map[string]string {
 // Update https://developer.hashicorp.com/nomad/docs/configuration/client#env-denylist
 // whenever this is changed.
 var DefaultEnvDenyList = []string{
- "CONSUL_TOKEN",
- "CONSUL_HTTP_TOKEN",
- "VAULT_TOKEN",
- "NOMAD_LICENSE",
- "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
- "GOOGLE_APPLICATION_CREDENTIALS",
+ // product tokens
+ "CONSUL_TOKEN", "CONSUL_HTTP_TOKEN", "CONSUL_HTTP_TOKEN_FILE", "NOMAD_TOKEN", "VAULT_TOKEN",
+ // licenses
+ "CONSUL_LICENSE", "NOMAD_LICENSE", "VAULT_LICENSE",
+ // license paths
+ "CONSUL_LICENSE_PATH", "NOMAD_LICENSE_PATH", "VAULT_LICENSE_PATH",
+ // AWS sensitive variables
+ "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_METADATA_URL",
+ // GCP sensitive variables
+ "GOOGLE_APPLICATION_CREDENTIALS", "GOOGLE_OAUTH_ACCESS_TOKEN",
 }
 
 // makeEnvRedactSet creates a set of well known environment variables that should be
diff --git a/command/agent/host/host_test.go b/command/agent/host/host_test.go
index 8c9e2e8e6..7fbca180f 100644
--- a/command/agent/host/host_test.go
+++ b/command/agent/host/host_test.go
@@ -25,6 +25,8 @@ func TestMakeHostData(t *testing.T) {
 t.Setenv("BOGUS_TOKEN", "foo")
 t.Setenv("BOGUS_SECRET", "foo")
 t.Setenv("ryanSECRETS", "foo")
+ t.Setenv("CONSUL_LICENSE_PATH", "foo")
+ t.Setenv("AWS_ACCESS_KEY_ID", "foo")
 host, err := MakeHostData()
 must.NoError(t, err)
 
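Review bot: The new entries `CONSUL_HTTP_TOKEN_FILE` and the three `*_LICENSE_PATH` values are file paths rather than secrets, and the grouping comments (`// product tokens`, `// license paths`) do not say why a path belongs on the deny list, so a maintainer pruning the list later has no guidance. I would add one line above those entries, e.g. `// *_PATH / *_FILE entries locate secrets on the host and are denied along with the secret values themselves`. The same applies to `AWS_METADATA_URL` under `// AWS sensitive variables`, which is an endpoint override rather than a credential and deserves a short why-comment. Whether these names are matched exactly or by substring is decided in makeEnvRedactSet, whose body lies outside the hunk, so that part is not visible here.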
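Review bot: The added assertions in host_test.go cover only two of the new deny-list entries (`CONSUL_LICENSE_PATH`, `AWS_ACCESS_KEY_ID`), so any later addition to `DefaultEnvDenyList` can go untested without anyone noticing. If MakeHostData redacts through `DefaultEnvDenyList` (makeEnvRedactSet's body is outside these hunks, so I am inferring that), replace the two `t.Setenv` lines with `for _, name := range DefaultEnvDenyList { t.Setenv(name, "foo") }` and, in the second hunk of this file, the two `must.Eq` lines with `for _, name := range DefaultEnvDenyList { must.Eq(t, "", host.Environment[name]) }`. That keeps the test in lock-step with the list instead of requiring a hand edit per release. TestMakeHostData starts before this hunk and continues past it.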
@@ -38,4 +40,6 @@ func TestMakeHostData(t *testing.T) {
 must.Eq(t, "", host.Environment["BOGUS_TOKEN"])
 must.Eq(t, "", host.Environment["BOGUS_SECRET"])
 must.Eq(t, "", host.Environment["ryanSECRETS"])
+ must.Eq(t, "", host.Environment["CONSUL_LICENSE_PATH"])
+ must.Eq(t, "", host.Environment["AWS_ACCESS_KEY_ID"])
 }
diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx
index bf4ef73f7..1c4e6b6f3 100644
--- a/website/content/docs/configuration/client.mdx
+++ b/website/content/docs/configuration/client.mdx
@@ -304,12 +304,21 @@ see the [drivers documentation](/nomad/docs/drivers).
 ```text
 CONSUL_TOKEN
 CONSUL_HTTP_TOKEN
+ CONSUL_HTTP_TOKEN_FILE
+ NOMAD_TOKEN
 VAULT_TOKEN
+ CONSUL_LICENSE
 NOMAD_LICENSE
+ VAULT_LICENSE
+ CONSUL_LICENSE_PATH
+ NOMAD_LICENSE_PATH
+ VAULT_LICENSE_PATH
 AWS_ACCESS_KEY_ID
 AWS_SECRET_ACCESS_KEY
 AWS_SESSION_TOKEN
+ AWS_METADATA_URL
 GOOGLE_APPLICATION_CREDENTIALS
+ GOOGLE_OAUTH_ACCESS_TOKEN
 ```
 
 - `"user.denylist"` `(string: see below)` - Specifies a comma-separated
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index 296aefdc0..1575cf8ca 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -13,6 +13,14 @@ upgrade. However, specific versions of Nomad may have more details provided
 for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow.
 
+## Nomad 1.9.4
+
+In Nomad 1.9.4, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes additional
+environment variables to improve security. Users who need some of these secure
+environment variables passed to their tasks should consult the list and
+overwrite it in the configuration.
+
 ## Nomad 1.9.3
 
 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible